Microsoft has fixes for 50 security flaws in its June Patch Tuesday update and has also released quality improvements and fixes for Windows 10 version 1803, also known as the Windows 10 April 2018 Update.

The KB4284835 update moves Windows 10 version 1803 to OS Build 17134.112 and addresses an issue that caused systems to start up in a black screen: "This issue occurs because previous updates to the Spring Creators Update were incompatible with specific versions of PC tune-up utilities after installation."

Among the other bug fixes, Microsoft has addressed an issue where firmware updates caused devices to enter BitLocker recovery mode when BitLocker was enabled but Secure Boot was disabled or not present. This build now blocks firmware installation while a device is in that state.

Admins can still install firmware on such devices by temporarily suspending BitLocker, installing the firmware update before the next OS startup, and then immediately restarting the device so that BitLocker doesn't remain in a suspended state.
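As an added illustration that is not part of the article, the following PowerShell wraps that suspend-install-restart sequence: it first checks whether a device is in the blocked state (BitLocker on, Secure Boot off or absent) and, only then, suspends BitLocker for a single reboot around the vendor's firmware installer. The Windows cmdlets it calls are real; the wrapper functions and the vendor tool path are this example's own assumptions.

```powershell
# Added example, not from the article or from Microsoft. Run from an
# elevated prompt on the device that needs the firmware update.

function Test-FirmwareUpdateRisk {
    param([string]$MountPoint = $env:SystemDrive)

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware,
    # which the guidance treats the same as "Secure Boot not present".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $bitLockerOn = ($vol.ProtectionStatus -eq 'On')

    [pscustomobject]@{
        MountPoint  = $MountPoint
        BitLockerOn = $bitLockerOn
        SecureBoot  = $secureBoot
        # The combination that previously dropped devices into recovery:
        AtRisk      = ($bitLockerOn -and -not $secureBoot)
    }
}

function Invoke-SafeFirmwareUpdate {
    param(
        # Vendor-specific install step, supplied by the caller (hypothetical).
        [Parameter(Mandatory)][scriptblock]$InstallFirmware,
        [string]$MountPoint = $env:SystemDrive
    )
    $state = Test-FirmwareUpdateRisk -MountPoint $MountPoint
    if ($state.AtRisk) {
        # -RebootCount 1: protection resumes automatically after one restart,
        # so the volume never stays suspended if the script is interrupted.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    }
    & $InstallFirmware           # must finish before the next OS startup
    if ($state.AtRisk) {
        Restart-Computer -Force  # restart immediately, as the guidance says
    }
}

# Usage (hypothetical vendor tool path, constructed for this example):
# Invoke-SafeFirmwareUpdate -InstallFirmware { & 'C:\Vendor\FwUpdate.exe' /silent }
```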

Microsoft's June security patches, which are included in the new Windows 10 build, address flaws in Internet Explorer, Microsoft Edge, Windows, Office and the ChakraCore scripting engine, as well as the Adobe Flash Player flaw that was already being exploited in the wild.

Of the 50 fixes, 11 address flaws rated critical and 39 address flaws rated important. Only one of the bugs was publicly disclosed before this month's update, and none is known to have been exploited.

Trend Micro's Zero Day Initiative (ZDI) on May 29 disclosed an issue with how Windows handles error objects in JavaScript, which could allow an attacker to execute arbitrary code. The bug, CVE-2018-8267, was made public after it exceeded the ZDI's disclosure deadline.

Microsoft's advisory for CVE-2018-8267 notes that the flaw can be exploited through Internet Explorer or an Office document that hosts the IE rendering engine. A victim would need to visit a malicious or compromised website. Microsoft believes this bug is likely to be exploited.

Cisco's Talos Intelligence researchers highlighted three bugs that Windows users should patch promptly this month, including the publicly disclosed flaw and a remote code execution vulnerability within Windows Domain Name System (DNS), CVE-2018-8225.

"This vulnerability manifests due to DNSAPI.dll improperly handling DNS responses. This vulnerability could allow a remote attacker to execute arbitrary code within the context of the LocalSystem account on affected systems," wrote Talos researchers.

"An attacker could leverage a malicious DNS server and send specially crafted DNS responses to trigger this vulnerability." However, Microsoft notes exploitation of this bug is less likely.

The third key fix is for a remote code execution vulnerability affecting Chakra (CVE-2018-8229), which was found by Google Project Zero and can be exploited through Edge. Microsoft believes this flaw is likely to be exploited.

Microsoft has also published new guidance on Windows mitigations for the Meltdown and Spectre flaws, and the related Spectre Variant 4 Speculative Store Bypass attack, CVE-2018-3639. To be fully protected, users and admins may have to take further action, Microsoft notes.

Mitigations already released for Windows 7 through Windows 10 for Spectre variant 1 (CVE-2017-5715) and Meltdown variant 3 (CVE-2017-5754) are enabled by default.

On supported Windows Server systems, the mitigations are disabled by default and admins will need to take further steps to enable them.
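As an added illustration that is not part of the article, the PowerShell below reads and sets the registry values that turn those mitigations on for Windows Server. The key name and DWORD values follow Microsoft's Windows Server speculative-execution guidance (KB4072698) rather than anything in the article; the functions are this example's own.

```powershell
# Added example, not from the article. Run from an elevated prompt on the
# server; a restart is required before the new setting takes effect.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SpeculationMitigationPolicy {
    # Both values are absent (null) on a server that has never been configured,
    # which is the "disabled by default" state the article describes.
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = $p.FeatureSettingsOverride
        Mask     = $p.FeatureSettingsOverrideMask
    }
}

function Enable-SpeculationMitigations {
    param(
        # Also enable the Variant 4 Speculative Store Bypass mitigation
        # (CVE-2018-3639); this one needs updated OEM microcode to be effective.
        [switch]$IncludeSpeculativeStoreBypass
    )
    # Per Microsoft's guidance: Override 0 enables the Spectre variant 2 and
    # Meltdown mitigations; Override 8 enables those plus SSBD. Mask 3 is the
    # value the guidance pairs with both settings.
    $override = if ($IncludeSpeculativeStoreBypass) { 8 } else { 0 }

    New-ItemProperty -Path $Key -Name FeatureSettingsOverride `
        -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $Key -Name FeatureSettingsOverrideMask `
        -PropertyType DWord -Value 3 -Force | Out-Null

    Get-SpeculationMitigationPolicy   # echo the resulting policy for the log
}

# Usage:
#   Enable-SpeculationMitigations -IncludeSpeculativeStoreBypass
#   Restart-Computer
# After the restart, Microsoft's SpeculationControl module reports whether the
# kernel and microcode actually picked the settings up:
#   Install-Module SpeculationControl; Get-SpeculationControlSettings
```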

An attacker who successfully exploited the Cortana vulnerability could execute commands with elevated permissions. However, the attacker would need physical access to a system with Cortana enabled.

Researchers from McAfee have posted a detailed account of how an attacker could use Cortana to search for sensitive information like stored passwords, and in some circumstances to execute code locally.


About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several Australian publications, including the Sydney Morning Herald online. He's interested primarily in how information technology affects the way business and people communicate, trade, and consume.